Flow-based Identification of Failures Caused by IPv6 Transition Mechanisms
Computer Networks and Distributed Systems, School of Engineering and Sciences
Jacobs University Bremen, Bremen, Germany
June 2012
Vaibhav Bajpai, Nikolay Melnikov, Anuj Sehgal, Jürgen Schönwälder
AIMS 2012, IFIP Luxembourg
Overview
Motivation and Goals
Investigated v4-to-v6 Transitioning Technologies
NetFlow and NFQL
Experimental Setups and Results
Failure Analysis
Conclusion
NAT64
Dual-Stack Lite
An Inflection Point [1, 2]
(1990s) IETF defined IPv6
(Feb 2011) IANA exhausts its pool of IPv4 addresses
(April 2011) APNIC released its final /8 block; last stage
...
4/23
An Inflection Point
Why the delay?
lack of any economic advantage to deploy IPv6
lack of IPv6-only killer applications
huge amount of IPv4-only content
large number of legacy IPv4-only applications
wider/layered NAT deployments
Possible solutions?
transitioning mechanisms that do NOT disrupt IPv4 content delivery over IPv6
5/23
Events Enabling the Migration
(Since 2004) Native IPv6 available at Jacobs University Bremen
(January 2009) Google over IPv6 [3, 4]
(By 2009) Production quality IPv6 implementations available on all major OS
(June 2011) World IPv6 Day
(June 2012) World IPv6 Launch Day
6/23
Goals
detect which applications, protocols and online services fail when operating under IPv6 transitioning mechanisms.
investigate whether it’s possible to automate the failure identification by formulating queries on generated NetFlow flow records.
7/23
Investigated v4-to-v6 Transitioning Technologies
Dual-Stack Lite
[Figure: IPv4 end-users behind an IPv6 CPE with NAT44, IPv4 in IPv6 tunnel over native IPv6 to the AFTR/CGNAT, then IPv4]
IPv6-only link between the customer and ISP.
IPv4-in-IPv6 encapsulation at the CPE.
Decapsulation and NAT44 at the ISP CGNAT.
+ public IPv4 address shared between several customers
- customer end needs an upgrade with the CPE functionality
[5]
9/23
NAT64/DNS64
[Figure: IPv6 Network, NAT64, DNS64, IPv4 Network]
clients are IPv6-only.
DNS64 generates fake AAAA records for a v4 destination.
v6 to v4 packet header translation at NAT64.
- all devices and applications in NAT64 domain must be v6 ready.
- applications using direct v4 literals will fail.
- DNSSEC validation will fail.
[6]
10/23
NetFlow and NFQL
Cisco NetFlow:
protocol to aggregate traffic as flow-records sharing some common properties defined by a set of flow-keys
exporter exports flow-records via a predefined expiration rule
NFQL:
a stream-based flow-record query language
helps describe complex relationships among a set of flows.
12/23
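The automation the Goals slide asks for, as an added Python example that is not from the paper or from the NFQL tool: a query over constructed flow records exported from the IPv6 side of a NAT64 box that reports connection attempts to DNS64-synthesized destinations whose TCP handshake never completed. The NAT64 prefix (the RFC 6052 well-known prefix 64:ff9b::/96), the record field names and the sample addresses are assumptions, not values from the slides.

```python
import ipaddress

# Assumption: the NAT64 prefix is the RFC 6052 well-known prefix; the slides
# do not give the prefix used in the testbed.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
TCP_SYN, TCP_ACK = 0x02, 0x10

def embedded_ipv4(addr, prefix=NAT64_PREFIX):
    """Return the IPv4 address DNS64 embedded in a synthesized AAAA answer,
    or None when addr is not inside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in prefix:
        return None
    # With a /96 prefix the IPv4 address occupies the low 32 bits (RFC 6052).
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def failed_nat64_connections(flows):
    """Client-side TCP flows toward the NAT64 prefix whose handshake never
    completed: the flow's accumulated TCP flags contain SYN but never ACK,
    so the client kept retransmitting SYNs and no SYN-ACK came back.
    Returns (client, embedded IPv4 destination, dport, reason) tuples."""
    failures = []
    for f in flows:
        v4 = embedded_ipv4(f["dst"])
        if v4 is None or f["proto"] != 6:
            continue
        if f["tcp_flags"] & TCP_SYN and not f["tcp_flags"] & TCP_ACK:
            failures.append((f["src"], str(v4), f["dport"], "no SYN-ACK received"))
    return failures

# Constructed sample flow records (not measurements from the paper), reduced
# to the NetFlow fields the query needs; tcp_flags is the OR of all flags
# seen on the flow, as a NetFlow exporter reports it.
SAMPLE_FLOWS = [
    # completed HTTP session to an IPv4-only web server through NAT64
    {"src": "2001:db8::10", "dst": "64:ff9b::c633:6401", "proto": 6,
     "dport": 80, "pkts": 12, "bytes": 9800, "tcp_flags": 0x1b},
    # FTP control connection: three SYNs, nothing ever came back
    {"src": "2001:db8::10", "dst": "64:ff9b::c633:6402", "proto": 6,
     "dport": 21, "pkts": 3, "bytes": 180, "tcp_flags": 0x02},
    # SYN to a native IPv6 destination: not a NAT64 flow, so not reported
    {"src": "2001:db8::10", "dst": "2001:db8:1::1", "proto": 6,
     "dport": 443, "pkts": 1, "bytes": 60, "tcp_flags": 0x02},
    # UDP DNS query to the DNS64 box: no TCP handshake to judge
    {"src": "2001:db8::10", "dst": "2001:db8::53", "proto": 17,
     "dport": 53, "pkts": 2, "bytes": 200, "tcp_flags": 0},
]

if __name__ == "__main__":
    for row in failed_nat64_connections(SAMPLE_FLOWS):
        print(row)
```

The same check run against the IPv4-side export of the NAT64 box (where destinations are plain IPv4 addresses) tells whether the failure occurred before or after translation.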
Experimental Setups and Results
Dual-Stack Lite
using the ip_tunnel kernel module to bring up an ipip6 tunnel
using iptables for IPv4 forwarding and NATing with the public IPv4 address
IPv6 CPE and CGNAT running Debian while IPv4-only host running Mac OS X
detailed setup instructions are at [7]
[5]
14/23
NAT64/DNS64
[Figure: IPv6 Only Host, TOTD Proxy Server (DNS64), NAT64 Server (prefix unreadable in source), Real IPv4 DNS Server, IPv4-Only Web Server; message sequence: (1) DNS Query over IPv4, (2) Forward DNS Query, (3) DNS Reply, (4) DNS Reply]
IPv6-only host runs Mac OS X while DNS64 and NAT64 boxes run Debian
DNS64 box runs totd to forward requests to 8.8.8.8 and return a fake IPv6 address
NAT64 box runs ecdysis to perform IP-ICMP translation and to maintain a NAT binding table
detailed setup instructions are at [7]
[6]
15/23
Results
Applications and Services Tested (DS-Lite / NAT64)
- Webmail: Gmail using TLSv1
- Media: YouTube (Flash, HTML5)
- Google Maps
- HTTP and FTP Downloads
- Web Chat: Gmail, Yahoo, Freenode IRC
  DS-Lite ✔  NAT64 ✔
- IMAP: Gmail and Microsoft Exchange
- POP3: Gmail
- SMTP: Gmail and Microsoft Exchange